Does My Business Need a Data Protection Officer?
Does my business need a data protection officer, or can I do without one?
If you are wondering whether you need a DPO at all, and if so whether to appoint someone from within your company or hire someone from outside, you have come to the right place.
In this article, we'll explain which businesses are required to have a data protection officer and who can be a DPO, so let's start.
Does My Business Need a Data Protection Officer?
Since the GDPR introduced the position, many business owners have wondered whether their business needs a data protection officer.
To answer this, we first need to understand what is a data protection officer or DPO.
A data protection officer is an individual or a service whose primary responsibility is to ensure that its organization processes the personal data of data subjects (customers, employees, or other individuals) in compliance with the data protection regulations that apply to it.
So, do you need someone like that in your company?
Luckily, we don't have to guess too much, as the European Commission provides an answer to this question.
Your company or organization needs to appoint a DPO, whether it is a controller or a processor, if its core activities involve large-scale processing of special categories of data, or large-scale, regular and systematic monitoring of individuals.
What Kind of Businesses Require a Data Protection Officer?
To answer what kind of businesses require a DPO, we'll turn to Article 37 (Designation of the data protection officer), found in Chapter IV, Section 4 of the GDPR.
The controller and the processor shall designate a data protection officer in any case where:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10.
There are a few terms here that we need to unpack for a better understanding:
Core activities refer to the business's "primary activities," as opposed to ancillary tasks such as paying staff or running IT support. For instance, the core activities of a real estate agent include buying, selling and renting properties on behalf of their clients.
Unfortunately, the GDPR does not define “large scale.”
Viljar Peep, Estonian data protection commissioner, gives his definition in a LinkedIn post:
It is supposed to be large-scale processing if it covers the following:
- Special categories and/or criminal convictions/offenses of data of at least 5,000 persons
- Data causing a high risk of at least 10,000 persons
- Any other data of at least 50,000 persons
Of course, these numbers are guidance rather than law, and the threshold will not be the same in different countries.
For instance, according to Germany's Federal Data Protection Commissioner, "large scale data processing" operations include those covering over 5 million people or a minimum of 40 percent of the relevant population. You'll need to consult a compliance specialist to find out what your specific legal landscape looks like.
Finally, the Article 29 Working Party (WP29), the EU advisory body since replaced by the European Data Protection Board, recommends considering the following factors when determining whether your business is processing data on a large scale:
- The number of data subjects concerned, either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration or permanence of the data processing activity
- The geographical extent of the data processing
Regular and Systematic Monitoring
Again, the GDPR does not define "regular and systematic monitoring," but the WP29 guidelines make clear that it covers all forms of tracking and profiling, whether online or offline.
More specifically, for monitoring to be regular, it has to be ongoing or recurring at particular intervals, whereas for it to be systematic, it has to be organized, methodical or pre-arranged in some manner.
Finally, the last part of the explanation refers to special categories.
Luckily, the GDPR’s Article 9 (Processing of Special Categories of Personal Data) gives us a clear definition of what these are.
Special categories include:
- Personal data revealing racial or ethnic origin
- Data concerning a person's sex life or sexual orientation
- Genetic data, and biometric data processed for the purpose of uniquely identifying a person
- Data concerning health
- Data revealing religious or philosophical beliefs, or political opinions
- Data revealing trade union membership
Note that processing special category data by itself does not trigger the DPO requirement: it must be part of your core activities and carried out on a large scale. Where that is the case, your business needs a data protection officer regardless of its size.
Who can be a Data Protection Officer?
Of course, not everyone can be a DPO.
The DPO can be either an individual or an organization with expert knowledge of data protection law and practice, and must be able to perform the role independently, without interference or instruction from the business regarding how to carry out its tasks.
A DPO can be a member of staff or hired externally under a service contract, and a single DPO can serve more than one company at a time, provided they remain easily accessible to each of them.
If you’re looking to hire someone as a DPO, you will need to look out for these things:
- Relevant education, preferably in the fields like law, data protection, privacy management, or information security
- Familiarity with relevant data protection laws, such as the GDPR, and with the regulatory landscape in the markets you operate in
- Specific experience and background in data privacy and protection, compliance, risk assessment, and similar areas
- A mix of legal knowledge, technical skills (understanding of the systems and software that process personal data) and communication skills, since the DPO acts as the contact point for data subjects and supervisory authorities
- The ability to stay up-to-date on the regulations, best practices, and technologies that are relevant to their position
Do small businesses need a data protection officer?
The appointment of a data protection officer (DPO) is not based on the size of the business but on whether that business's "core activities" include "large scale" processing of special categories of data or "regular and systematic monitoring" of individuals.
In other words, a small business whose core activity involves, say, systematically tracking the behaviour of 50,000 individuals will require a DPO, even though it has only a handful of employees.
Does my company need a data protection officer?
Your company is likely to need a data protection officer, or DPO, if:
- It is a public authority or body (other than a court acting in its judicial capacity); or
- Its "core activities" involve processing personal data on a large scale (for example, data on 50,000 individuals) in a way that amounts to regular and systematic monitoring of those individuals; or
- Its "core activities" involve processing "special categories of personal data" on a large scale (data relating to a person's racial or ethnic origin, religious or philosophical beliefs, political opinions, health, sex life or sexual orientation, and so on).
Why would someone need a data protection officer?
A business may need to appoint or hire a DPO to meet its regulatory data privacy requirements.
Which countries require a data protection officer?
Many countries, in their own data privacy and protection laws, require that a person or company be made responsible for protecting personal data.
However, only the EU and a few other jurisdictions specifically call this role a "data protection officer."
For a reference on DPO requirements by country, it's best to look at the resources published by the IAPP (International Association of Privacy Professionals).
Does a DPO need to be in Europe?
No, the GDPR does not strictly require a DPO to be based in Europe. However, the WP29 guidelines recommend that the DPO be located within the EU, whether or not the controller or processor is established there, so that data subjects and supervisory authorities can reach the DPO easily; a DPO outside the EU is accepted only where that would let them carry out their tasks more effectively.
Data protection officers play an essential function in businesses, safeguarding important data and being required by law in many cases.
At Captain Compliance, we serve businesses by providing an outsourced compliance service that can act as a data protection officer.
Get in touch with our team of compliance superheroes at Captain Compliance today, and we’ll help you safeguard your data in no time.